Description
SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, 2011, allows an authenticated attacker to include invalidated data in the HTTP response Content Type header, due to improper input validation, and sent to a Web user. A successful exploitation of this vulnerability may lead to advanced attacks, including cross-site scripting and page hijacking.
CVSS breakdown
CVSS 3.0
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Affected products
- SAP_SE / SAP Commerce Cloud< 1808 – < 1808
- SAP_SE / SAP Commerce Cloud< 1811 – < 1811
- SAP_SE / SAP Commerce Cloud< 1905 – < 1905
- SAP_SE / SAP Commerce Cloud< 2005 – < 2005
- SAP_SE / SAP Commerce Cloud< 2011 – < 2011